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ABSTRACT 


A  new  verification  strategy  for  iterative  programs  is 
described.  The  technique  is  based  on  the  idea  of  applying  a 
correctness/incorrectness  preserving  transformation  to  the  pro¬ 
gram  to  be  verified.  The  transformation  is  performed  in  such  a 
way  that  the  new  program  is  substantially  easier  to  verify  than 
the  original.  Examples  which  illustrate  the  use  of  the  technique 
are  presented.  The  method  is  compared  and  contrasted  with 
subgoal  induction  and  the  inductive  assertion  technique. 


KEYWORDS  and  PHRASES:  program  verification,  proof  transformation, 
reduction  hypothesis,  subgoal  induction,  inductive  assertion 
technique 

CR  CATEGORIES:  5.24 


1.  Introduction 


The  difficulties  associated  with  the  general  verification  of 
computer  programs  are  well  known.  Chief  among  these  difficulties 
is  the  problem  of  creating  a  suitable  inductive  hypothesis  (e.g. 
loop  invariant)  for  programs  which  use  iteration  or  recursion.  A 
large  number  of  guidelines  or  heuristics  for  the  construction  of 
these  hypotheses  have  appeared  in  the  literature.  Particularly 
promising  are  results  in  [Mills  75,  Basu  &  Misra  75,  wegbreit  77, 
Morris  &  Wegbreit  77]  which  show  that  for  a  particular  class  of 
program/specification  pairs,  an  adequate  inductive  hypothesis  can 
be  obtained  in  a  straightforward  deterministic  manner.  A  conse¬ 
quence  of  this  determinism  is  that  for  a  verification  problem  in 
this  class,  the  program  can  be  proven/d isproven  correct  with 
respect  to  its  specification  (assuming  termination)  by  testing 
several  verification  conditions  based  on  the  specification  and 
characteristics  of  the  program  components.  Unfortunately,  this 
class  is  rather  restricted  and,  as  a  result,  many  verification 
problems  which  arise  naturally  in  practice  are  not  covered  by 
these  results. 

In  this  report,  a  verification  strategy  is  described  which 
is  based  on  the  idea  of  applying  a  correctness/incorrectness 
preserving  transformation  to  the  program  under  consideration. 
The  motivation  behind  the  transformation  is  to  produce  a  verifi¬ 
cation  problem  such  that,  in  a  manner  similar  to  that  in  the 
above  mentioned  work,  an  inductive  hypothesis  can  be  created  in  a 
deterministic  fashion.  Thus  we  are  proposing  replacing  the  prob¬ 
lem  of  synthesizing  an  inductive  hypothesis  with  one  of  discover¬ 
ing  an  adequate  correctness/incorrectness  preserving  transforma¬ 
tion.  In  a  number  of  examples  we  have  studied,  the  latter  prob¬ 
lem  appears  to  be  more  tractable. 

In  the  remainder  of  this  section  we  discuss  a  general  verif¬ 
ication  problem  which  occurs  often  in  practice  and  then  suggest 
the  idea  of  a  transformation  as  a  means  to  solve  the  problem.  A 
number  of  heuristics  for  discovering  an  appropriate  transforma¬ 
tion  are  given  in  Section  2  and  are  illustrated  with  examples. 
In  Section  3,  the  proposed  solution  is  compared  and  contrasted 
with  the  inductive  assertion  and  subgoal  induction  approaches  to 
the  verification  problem.  Finally,  the  application  of  the  tech¬ 
nique  to  more  complex  program  forms  is  discussed  in  Section  4. 

In  our  analysis,  we  will  consider  a  program  P  of  the  form 

X  :  =  K  ( X)  ; 

while  B (X)  do 
X  :=  H  (X) 
od ; 

X  :=  Q ( X) 

where  X  is  the  program  data  state,  K,  H  and  Q  represent  data- 
state-to-data-state  functions  and  B  is  a  predicate  on  the  data 


state.  For  the  present  we  assume  each  of  the  functions  and  the 
predicate  is  explicitly  known;  this  requirement  regarding  the 
function  Q  is  relaxed  in  Section  4.  We  assume  that  the  program 
specification  is  formulated  as  a  function  mapping  the  input  data 
state  to  the  portion  of  the  output  data  state  which  corresponds 
to  the  program  variables  whose  final  values  are  of  interest.  We 
will  use  a  function  e  which  extracts  from  any  data  state  the  data 
state  portion  corresponding  to  these  variables.  If  f  is  the 
specification  function,  the  domain  of  f,  written  D(f),  is  the  set 
of  input  data  states  for  which  a  corresponding  output  is  speci¬ 
fied.  Furthermore,  the  notation  [P]  will  be  used  for  the  data- 
state-to-data-sta te  function  computed  by  the  program  P.  Thus  for 
this  verification  problem,  P  is  correct  with  respect  to  its 
specification  function  f  if  and  only  if  for  any  X  in  D(f),  [P]  (X) 

is  defined  and  f  ( X)  =e  ( [P ]  (X)  )  . 


Let  TAIL  be  the  portion  of  P  which  follows  the  initializa¬ 
tion  X  :=  K  ( X)  ,  i.e.  TAIL  is  the  WHILE  loop  followed  by  the 
assignment  X  :=  Q(X).  We  begin  with  the  following: 

Observation  1  -  P  is  correct  with  respect  to  (wrt)  f  if  and 
only  if  (iff)  TAIL  is  correct  wrt  the  input/output  relation 
g  =  {(X,Y)  I  }X0  e  D(f)  }-  (K(X0)=X  &  f(X0)=Y)}. 

That  is,  P  is  correct  wrt  f  iff  on  data  states  X  which  are 
output  by  K  on  input  XO  S  D(f),  TAIL  produces  f(X0)  .  For  the 
moment,  we  make  the  following  two  assumptions: 

FUNCTION:  The  relation  g  is  a  function,  i.e. 

K(X0)=K(X1)  ->  f(X0)=f(Xl) 
for  all  XO,  XI  G  D(f),  and 

CI/DSURE:  The  WHILE  loop  is  closed  [Basu  &  Misra  75]  for  the 

domain  of  g ,  i.e. 

K(X0)=X,  B (X)  ->  4  XI  6  D(f)  h  K ( Xl ) =H (X) 

for  all  XO  G  D ( f ) . 

Given  these  two  assumptions,  it  is  easy  to  state  the  neces¬ 
sary  and  sufficient  verification  conditions  for  the  correctness 
of  TAIL  (assuming  termination)  wrt  g.  These  are  (adapted  from 
[Mills  75,  Basu  &  Misra  75,  Morris  &  Wegbreit  77] ) 

X  G  D(g)  ,  B  (X)  ->  g(X)=g(H(X)  ) 

X  G  D(g) ,  ~B (X)  ->  g (X) =e (Q(X) ) 

and  are  called  the  iteration  and  boundary  conditions,  respec¬ 
tively,  in  [Misra  78]  .  They  are  equivalent  to 
XO  G  D(f),  K  ( XO )  =X ,  B  (X)  ->  g(X)*g(H(X)) 

XO  G  D  (  f )  ,  K  ( XO )  =X ,  ~B  (X)  ->  g(X)=e(Q(X)) 
i.e. 

XOGD(f),  B (K (XO) )  ->  g(K(X0) )=g(H(K(X0) ) ) 

XO  G  D(f),  ~B (K(X0) )  ->  g(K(X0) )=e(Q(K(X0) ) ) 
i.e. 

X0,X1  6  D(f),  B (K(XQ) ) ,  K ( Xl) =H (K ( XO ) )  ->  g (K (XO) ) «g (K (Xl) ) 

XO  6  D(f)  , ~B (K (XO) )  ->  g(K(X0) )=e(Q(K(X0) ) ) 

i.e. 

ITERATION: 
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X0,X1  e  D(f),  B (K (XO ) ) ,  K(Xl)=H(K(XO) )  ->  f(XO)=f(Xl) 

BOUNDARY : 

XO  S  D(f)  ,~B (K(XO) )  ->  f (XO)=e(Q(K(XO) ) ) . 

We  conclude  as  follows: 

Observation  2  -  Suppose  FUNCTION  and  CLOSURE  hold.  P  is 
correct  wrt  f  (assuming  termination)  iff  ITERATION  and  BOUNDARY 
hold. 


Example  1  -  Consider  the  following  program 

{ a> =0 } 
a  :=  a/2; 

while  a  0  { 0 , 1 }  do 
a  :=  a  -  2 
od ; 

a  :  =  (if  a=0  then  1  else  0) 

{ a=EVEN  (aO/2) 

In  this  program,  the  data  state  consists  of  the  single  integer 
variable  a  and  will  be  represented  by  <a> .  The  function  EVEN  (a) 
appearing  in  the  program  postcondition  returns  1  if  its  argument 
is  even  and  0  otherwise.  The  specification  function  f  for  this 
program  is 

f(<a0>)=a  <->  a0>=0  &  a=EVEN(aO/2) 
which  implies 

<a0>  G  D(f)  <->  a0>  =  0. 

This  program  relates  to  the  general  program  form  above  as  follows 
K(<a0>)=<a>  <->  a=a0/2 
B  < <a> )  <->  a  0  {  0 , 1} 

H,<a0>)=<a>  <->  a=a0-2 

Q(<a0>)=<a>  <->  (a0=0  &  a=l)  OR  (a0/0  &  a=0) 
e  ( <a> ) =a. 

Note  that  assumptions  FUNCTION  and  CLOSURE  hold.  If  the  program 
terminates  for  all  inputs  in  D(f),  it  is  correct  wrt  its  specifi¬ 
cation  iff  conditions  ITERATION  and  BOUNDARY  hold.  These  can  be 
wr  itten 

a0>=0 ,  al>=0,  aO/2  0  {0,l},  al/2=a0/2  -  2 

->  EVEN (aO/2) =EVEN (al/2) 

and 

a0>  =  0 ,  aO/2  €  { 0 , 1 }  ->  EVEN (aO/2)  =  ( if  a0/2=0  then  1  else  0) 
respectively. 

At  this  point  we  stop  to  consider  the  assumptions  we  have 
made.  Suppose  assumption  FUNCTION  is  false,  but  CLOSURE  holds. 
Thus  we  have  XO ,  XI  6  D(f)  satisfying 
K(X0)=K(X1)  &  f(X0)/f(Xl). 

Now  if  B (K(X0) ) ,  then  K(X2) =H (K(X0) )  for  some  X2  G  D(f)  by  CLO¬ 
SURE.  If  ITERATION  was  valid,  we  would  have  f(X0)=f(X2)  as  well 
as  f(Xl)=f(X2).  Since  this  contradicts  our  hypothesis,  ITERATION 
does  not  hold.  On  the  other  hand,  suppose  ~B(K(X0)).  If  BOUN¬ 
DARY  held,  we  would  have  f ( XO ) =e (Q ( K (XO ) ) )  as  well  as 
f  (Xl)=e(Q(K(Xl)  )  )  .  The  contradiction  leads  us  to  conclude  that 


if  FUNCTION  is  false,  but  CLOSURE  holds,  (at  least)  one  of  ITERA¬ 
TION  and  BOUNDARY  is  false.  Since  FUNCTION  being  false  implies  P 
is  not  correct  wrt  f  (i.e.  [P ]  (XO ) =  [P ]  (XI) ,  but  f (XO)^f (Xl) ) , 
this  leads  us  to  the  following: 

Observation  3  -  Suppose  CLOSURE  holds.  P  is  correct  wrt  f 
(assuming  termination)  iff  ITERATION  and  BOUNDARY  hold. 

Unfortunately,  it  is  much  more  difficult  to  deal  with  the 
reliance  on  assumption  CLOSURE.  We  can,  however,  gain  insight 
into  the  problem  by  studying  CLOSURE  and  its  relation  to  condi¬ 
tion  ITERATION.  Imagine  P  executing  on  some  input  in  D(f)  and 
consider  the  sequence  of  intermediate  data  states  on  which  the 
predicate  B  is  evaluated.  CLOSURE  requires  that  each  of  these 
intermediate  states  be  "reachable"  through  the  function  K  for 
some  input  element  of  D(f).  It  is  this  reachability  that  enables 
condition  ITERATION  to  test  whether  this  sequence  of  states  stays 
on  the  right  "track,"  or  more  specifically,  that  the  inverse 
images  of  these  states  through  K  remain  in  the  same  level  set  of 
f . 


Most  often  in  practice,  however,  the  purpose  of  the  initial¬ 
ization  K  is  to  "constrain"  the  data  state,  thereby  providing 
some  specific  "starting  point"  for  the  loop  execution.  In  this 
case,  the  intermediate  data  states  will  not  be  reachable  through 
K  and,  as  a  result,  condition  ITERATION  may  well  hold  for  the 
simple  reason  that  it  is  vacuously  true,  i.e.  the  term 
K ( Xl) =H (K (XO ) )  will  be  false  for  all  XI.  Rather  than  abandoning 
this  approach  to  the  verification  of  P,  however,  the  solution 
suggested  here  is  to  "correct"  the  problem  and  proceed. 

Consider  substituting  for  K  a  suitable  replacement  initiali¬ 
zation  K" .  By  "suitable"  here,  we  mean  that  the  output  of  K' 
must  be  sufficiently  unconstrained  so  that  CLOSURE  holds  for  K' , 
and  furthermore,  that  the  substitution  preserves  the  termination 
and  correctness/incorrectness  properties  of  the  program  P.  The 
following  definition  formalizes  this  idea. 

Definition  -  Let  P'  be  the  program  P  with  the  initialization 
K  replaced  by  K"'.  K'  is  a  reduction  hypothesis  iff  CLOSURE  holds 
for  K'  and  each  of 

TERMINATES:  For  inputs  in  D(f),  P  terminates  ->  P'  terminates, 
and 

PRESERVES:  P  is  correct  wrt  f  iff  P"  is  correct  wrt  f 

is  satisfied. 

The  significance  of  the  definition  is  that  once  a  reduction 
hypothesis  K"  has  been  located,  we  can  prove/disprove  the 
correctness  of  the  original  program  by  proving  its  termination 
and  verifying  ITERATION  and  BOUNDARY  with  K'  substituted  for  K. 

The  proposed  solution  of  finding  a  reduction  hypothesis  is 
analogous  to  finding  an  adequate  loop  invariant  for  an  inductive 
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assertion  proof  [Hoare  69],  or  finding  an  appropriate  loop  func¬ 
tion  for  a  functional  [Mills  75]  or  subgoal  induction  [Morris  a 
Wegbreit  77]  proof.  We  justify  proposing  an  alternative  to  these 
standard  techniques  for  the  following  reasons: 

a)  a  reduction  hypothesis  has  a  unique  intuition  behind  it; 

in  a  number  of  cases,  this  leads  rather  naturally  to  a 
solution, 

b)  the  class  of  reduction  hypotheses  bears  an  interesting 

relationship  to  the  class  of  adequate  loop  invariants 
for  P, 

c)  unlike  the  technique  of  inductive  assertions,  it  is  possible 

to  disprove  an  incorrect  program  without  considering  the 
program  beyond  the  loop,  i.e.  by  disproving  ITERATION, 

d)  in  the  case  there  is  no  initialization  (i.e.  K  is  the 

identity  function)  and  the  loop  is  closed  for  D(f)  (or, 
more  generally,  any  time  CLOSURE  holds  for  K)  ,  a  very 
efficient  proof  results  since  K  itself  is  a  reduction 
hypothesis,  and 

e)  the  reduction  hypothesis  solution  provides  continuity 

between  the  cases  where  CLOSURE  does  and  does  not  hold; 
an  understanding  of  "why"  CLOSURE  does  not  hold,  for 
example,  can  provide  insight  into  how  to  create  K"  from  K. 


Constructing  a  Reduction  Hypothesis 


In  this  section  we  will  consider  several  heuristics  for 
creating  a  reduction  hypothesis  for  P  and  will  illustrate  their 
use  on  example  programs.  We  begin  with  some  preliminary  remarks. 


In  the  discussion  in  the  preceding  section,  we  assumed  that 
the  program  pieces  corresponding  to  K,  H  and  Q  were  determinis¬ 
tic  ,  that  is,  we  assumed  their  semantics  (i.e.  their  input/output 
behavior)  could  be  represented  by  data-state-to-data-state  func¬ 
tions.  The  above  results,  however,  extend  in  the  natural  way  to 
the  case  where  subprograms  in  P  are  nondeterministic  provided  one 
switches  to  a  slightly  more  awkward  relational  notation  for 
representing  these  subprograms.  In  particular,  we  will  be 
interested  in  the  case  where  the  initialization  is  nondeterminis¬ 
tic  since  it  turns  out  that  this  kind  of  initialization  is  often 
a  reasonable  choice  for  a  reduction  hypothesis.  If  this  new  ini¬ 
tialization  is  represented  by  a  data-state-to-data-state  relation 
K",  ITERATION  and  BOUNDARY  translate  to 
ITERATION" : 

X0,X1  €  D(f),  K"(X0,X),  B (X) ,  K" (Xl ,H (X) )  ->  f(X0)=f(Xl) 
BOUNDARY ' : 

XO  G  D  (  f )  ,  K"  ( XO  ,  X)  ,  ~B  (X)  ->  f  (X0)=e(Q(X)  )  , 

where  K"(X0,X)  is  a  notation  we  will  use  which  stands  for  (X0,X) 
6  K". 


Now  suppose  this  relation  K"  satisfies  CLOSURE,  i.e. 

K"(X0,X)  S,  B  (X)  ->  ■}  XI  €  D(f)  y  K"(X1,H(X)) 

for  all  XO  6  D(f).  The  program  P"  derived  from  P  by  replacing 
the  initialization  K  with  K",  i.e.  by  replacing 
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with 


X  :=  K  ( X) 


X  :=  "any  Y  satisfying  K'(X,Y)", 

is  correct  wrt  f  (assuming  termination)  iff  ITERATION'  and  BOUN¬ 
DARY'  hold.  If  K'  has  been  chosen  so  as  to  be  a  reduction 
hypothesis,  the  original  P  is  correct  wrt  f  iff  P  terminates  for 
inputs  in  D(f)  and  ITERATION'  and  BOUNDARY'  hold. 

As  an  aid  in  expressing  nondeterministic  program  segments, 
we  will  use  a  notation  defined  in  [Dijkstra  76].  Specifically, 
an  execution  of  the  program 
if  Bl (X)  ->  PI 

T  B2  (X)  ->  P2 


|  Bn (X)  ->  Pn 

fi 

calls  for  the  execution  of  any  single  program  Pi  provided  guard 
Bi  (X)  holds. 

We  now  consider  two  opposing  alternatives  to  constructing 
K'.  Each  is  based  on  a  different  philosophy  for  insuring  that 
PRESERVES  is  satisfied.  The  first  is  a  progr am-or iented  approach 
and  is  characterized  by  selecting  K'  so  that  the  programs  P  and 
P'  are  equivalent,  i.e.  so  that  P  and  P'  exhibit  identical 
input/output  behavior.  Such  a  K'  trivially  guarantees  PRESERVES 
is  satisfied.  The  other  approach  is  a  specif ication-or iented 
approach  and  is  characterized  by  selecting  K'  as  a  superset  of  K 
in  such  a  way  that  executions  of  P'  which  use  the  extended  aspect 
of  the  initialization  are  guaranteed  to  be  correct,  i.e.  execute 
in  accordance  with  the  program  specification.  Such  a  K'  satisfies 
PRESERVES  since  the  correctness  of  P'  implies  the  correctness  of 
P  (since  K'  is  a  superset  of  K)  and  the  correctness  of  P  implies 
the  correctness  of  P'  (the  additional  execution  paths  in  P'  are 
known  to  be  correct) .  Thus  each  approach  chooses  a  different 
technique  aimed  at  meeting  PRESERVES.  If,  in  addition,  CLOSURE 
holds  for  this  new  initialization  and  TERMINATES  is  satisfied, 
then  K'  is  a  reduction  hypothesis. 

We  will  begin  by  considering  several  program-oriented 
heuristics  and  will  make  use  of  the  following  definition. 

Definition  -  Let  G  be  a  data-state-to-data-state  relation 
and  let  P'  be  the  program  P  with  initialization  K  replaced  by  G. 
G  is  an  alternative  initialization  to  K  iff  P  and  P'  have  identi¬ 
cal  input/output  behavior  for  inputs  in  both  D(f)  and  D(G)  . 

Thus  if  G  is  an  alternative  initialization  to  K,  then,  for  a 
restricted  set  of  inputs,  G  can  be  used  in  place  of  K  without 
affecting  the  externally  observable  behavior  of  P.  In  what  fol¬ 
lows,  we  will  make  use  of  the  following  properties  which  are 
derived  trivially  from  this  definition: 
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K  is  an  alternative  initialization  to  itself, 

the  union  of  any  number  of  alternative  initializations  is 
an  alternative  initialization,  and 

any  subset  of  an  alternative  initialization  is  an 
alternative  initialization. 

Our  interest  in  alternative  initializations  is  due  to  the  follow¬ 
ing  theorem. 

Theorem  JL  -  Any  alternative  initialization  G  whose  domain 
includes  D(f)  and  which  satisfies  CLOSURE  is  a  reduction 
hypothesis . 

Proof  -  Let  G  meet  the  conditions  stated  in  the  theorem  and 
let  P"  stand  for  the  program  P  with  initialization  G  substituted 
for  K.  From  the  definition  of  an  alternative  initialization,  P 
and  P^  have  identical  input/output  behavior  over  D(f).  Thus  TER¬ 
MINATES  and  PRESERVES  are  trivially  satisfied  and  G  is  a  reduc¬ 
tion  hypothesis. 

The  implication  of  Theorem  1  is  that  a  reduction  hypothesis 
may  be  created  by  discovering  a  suitable  alternative  initializa¬ 
tion.  This  is  the  basis  for  all  program-oriented  approaches  to 
synthesizing  a  reduction  hypothesis.  The  following  theorem  sug¬ 
gests  three  techniques  for  constructing  alternative  initializa¬ 
tions. 

Theorem  2  (Program-Oriented  Heuristics)  -  Let  Kl ,  K2  and  K3 
be  any  functions  satisfying 

LONGCUT:  Kl  (X)  =Y  ->  B  (Y)  &  H(Y)=K(X) 

SHORTCUT:  K2(X)=Y  ->  B(K(X))  &  Y=H(K(X)) 

NOCUT:  K3  (X)  =Y  ->  B(K(X))  &  B  (Y)  &  H(Y)=H(K(X)) 
for  all  X  €  D(f).  Then  each  of  Kl,  K2  and  K3  is  an  alternative 
initialization. 

Proof  -  We  will  make  repeated  use  of  the  WHILE  loop  property 
B  (X)  ->  (TAIL]  (X)  =  [TAIL]  (H  (X)  )  . 

Let  X  0  D(f)  and  X  G  D(Kl)  .  Then 

[TAIL]  (Kl  (X)  )  =  [TAIL]  (H  (Kl  (X)  )  )  =  [TAIL]  (K(X)  )  =  [P]  (X)  , 
hence  Kl  is  an  alternative  initialization.  Let  X  €  0(f)  and  X  G 
D(K2) .  Then 

[TAIL]  (K2  (X)  )  =  [TAIL]  (H  (K  (X)  )  )  =  [TAIL]  (K  ( X)  )  =  [P ]  ( X)  , 
hence  K2  is  an  alternative  initialization.  Finally,  let  X  6  D(f) 
and  X  €  D(K3) .  Then 

[TAIL]  (K3  (X)  )  =  [TAIL]  (H  (K3  (X)  )  )  =  [TAIL]  (H  (K  (X)  )  ) 

=  [TAI L]  (K  (X)  )  =  [F]  (X)  , 

hence  K3  is  also  an  alternative  initialization. 

The  labels  on  the  conditions  in  Theorem  2  are  motivated  by 
the  effect  replacing  K  with  the  alternative  initializations  has 
on  the  number  of  iterations  of  the  WHILE  loop.  Kl  causes  the 
loop  to  execute  1  additional  iteration,  K2  saves  the  loop  an 
iteration,  and  K3  has  no  effect  on  the  number  of  iterations.  The 
significance  of  the  theorem  is  that  any  combination  of  K,  Kl ,  K2 


and  K3  whose  domain  includes  D(f)  and  which  satisfies  CLOSURE  is 
a  reduction  hypothesis. 

We  now  define  a  specification-oriented  heuristic  for  creat¬ 
ing  a  reduction  hypothesis. 

Theorem  3  (Specification-Oriented  Heuristic)  -  Let  G  be  any 
alternative  initialization  to  K  whose  domain  includes  D(f)  and 
let  K4  be  any  function  satisfying 

VERYSHORTCUT:  K4  (X)  =Y  ->  ~B(Y)  &  e  ( Q  ( Y)  )  =f  ( X)  . 

Let  K'  be  the  union  of  G  and  K4  and  suppose  K'  satisfies  CLOSURE. 
Then  K'  is  a  reduction  hypothesis. 

Proof  -  Let  K'  be  as  stated  in  the  theorem  and  let  P"  stand 
for  the  program  P  with  initialization  K'  substituted  for  K.  Let 
X  G  D ( f )  and  suppose  P  terminates  for  input  X.  If  P'  executes  on 
X  and  the  aspect  of  the  initialization  K'  from  G  is  used,  P'  must 
also  terminate  since  G  is  an  alternative  initialization  to  K;  if 
the  aspect  of  the  initialization  K'  from  K4  is  used,  P'  must  ter¬ 
minate  since  the  output  of  K4  causes  B  to  evaluate  to  false. 
Hence  in  any  case,  P'  terminates  on  the  input  X  and  TERMINATES 
holds.  The  remainder  of  the  proof  consists  of  showing  that 
PRESERVES  is  satisfied.  Suppose  P  is  correct  wrt  f.  Let  X  G 
D(f).  If  P"  executes  on  X  and  the  aspect  of  the  initialization 
K'  from  G  is  used,  then  P'  is  also  correct  on  the  input  X  since  G 
is  an  alternative  initialization  to  K;  if  the  aspect  of  the  ini¬ 
tialization  K'’  from  K4  is  used,  then  P"  must  produce 
e(  [TAIL]  (K4  (X)  )  )=e(Q(K4  (X)  )  )=f  (X)  , 
hence  P'  is  again  correct  on  the  input  X.  Thus  in  any  case,  the 
program  P'  is  correct  wrt  f.  To  show  the  converse,  suppose  P"  is 
correct  wrt  f.  We  must  show  that  this  implies  P  is  correct  wrt 
f.  Let  X  G  D ( f )  .  Then  X  G  D(G)  .  By  the  correctness  of  P'  and 
the  fact  that  K'  includes  G,  the  program  P"  derived  from  P  by 
replacing  the  initialization  K  with  G  produces  f(X)  for  the  input 
X.  Since  G  is  an  alternative  initialization  to  K,  P  and  P" 
exhibit  identical  input/output  behavior  for  X,  hence  P  produces 
f ( X)  for  the  input  X  and  thus  P  is  correct  wrt  f.  This  completes 
the  proof  of  the  theorem. 

As  in  Theorem  2,  the  label  on  the  condition  in  Theorem  3  is 
used  to  suggest  the  effect  the  initialization  K4  has  on  the  exe¬ 
cution  of  the  program.  The  output  of  a  function  satisfying  VER¬ 
YSHORTCUT  causes  the  predicate  B  to  evaluate  to  false,  and  conse¬ 
quently,  the  WHILE  loop  in  P  will  execute  zero  times.  We  repeat 
that  the  functions  K1 ,  K2  and  K3  represent  program-oriented 
heuristics  since  they  are  designed  specifically  to  preserve  the 
effect  of  the  program  P  (possibly  over  a  restricted  domain). 
Function  K4 ,  on  the  other  hand,  represents  a  specification- 
oriented  heuristic  since  its  purpose  is  to  insure  program 
behavior  which  is  in  agreement  with  the  program  specification. 
Now  that  these  heuristics  have  been  defined,  we  will  illustrate 
their  use  with  a  number  of  examples. 
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Example  2  -  This  example  illustrates  a  circumstance  in  which 
assumption  CLOSURE  "almost"  holds  but  "not  quite."  In  this 
situation  it  may  be  clear  how  to  "expand"  the  initialization  in 
order  to  satisfy  CLOSURE  in  such  a  way  that  preserves  the  effect 
of  the  program.  The  program 


{ a>  =  0 } 
a  :=  a*2; 
while  a> 0  do 
a  :=  a  -  1; 
b  :  =  b  +  1 
od ; 
a  :=  b 

{ a=a0*2  +  bO } 


does  not  satisfy  CLOSURE  since  only  even  values  of  a  are  output 
from  the  initialization  K  and  the  WHILE  loop  is  not  closed  for 
this  set.  This  problem  could  be  "fixed"  by  supplementing  K  with 
another  initialization,  selected  nondeterministically,  which  pro¬ 
duced  odd  values  of  a.  The  combined  effect  would  be  an  initiali¬ 
zation  which  was  capable  of  producing  all  (nonegative)  values  of 
a  and  would  consequently  satisfy  CLOSURE.  Based  on  this  reason¬ 
ing,  we  could  supplement  K  with  the  initialization 
a  :  =  a*2  +  1 , 

but  an  inspection  of  the  loop-body  text  indicates  that  we  must 
compensate  in  this  case  by  subtracting  1  from  b  if  the  effect  of 
the  program  is  to  be  preserved.  This  is  actually  an  application 
of  heuristic  LONGCUT  of  Theorem  2;  specifically,  the  initializa- 
t  ion 

K1 ( <a0 , b0> ) =<a , b>  <->  a=a0*2+l  &  b=bO-l. 
satisfies  LONGCUT  and  is  thus  (by  Theorem  2)  an  alternative  ini¬ 
tialization.  In  the  above  notation  for  nondeterminacy,  the  com¬ 
bined  initialization  may  be  written 
if  TRUE  ->  a  :=  a*2 
~[  TRUE  ->  a  :=  a*2  +  1;  b  :=  b-1 
f  i . 

and  the  relation  K'  which  represents  this  initialization  is 
K'(<aO,bO>,<a,b>)  <->  (  (a=a0*2  &  b=bO)  OR  (a=a0*2+l  &  b=bO-l) ) . 

Since  K'  is  the  union  of  two  alternative  initializations  (K  and 
Kl)  ,  K'  itself  is  an  alternative  initialization,  and  thus,  apply¬ 
ing  Theorem  1,  it  is  a  reduction  hypothesis.  Hence  the  program 
can  be  verified  correct  with  respect  to  its  spec  if ication  (assum¬ 
ing  termination)  by  showing  that  ITERATION'  and  BOUNDARY'  hold. 
Condition  ITERATION'  has  the  following  two  aspects,  which 
correspond  to  the  cases  where  a  is  even  and  odd,  respectively: 
a0>=0,  al>=0,  a=a0*2,  b=bO,  a>0,  al*2+l=a-l,  bl-l=b+l 

->  a0*2+b0=al*2+bl 


and 

a0>=0,  al>=0,  a=a0*2+l,  b=bO-l,  a>0,  al*2=a-l,  bl=b+l 

->  aO* 2+b0=al* 2+bl . 

These  can  be  simplified  (by  eliminating  aO ,  bO ,  al  and  bl)  to 
a>0  ->  a+b=  (a-2)  +  (b+2) 

and 
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a> 0  ->  (a-1)  + (b+1) = (a-1) + (b+1) , 
both  of  which  hold.  Condition  BOUNDARY "  is 
a0>=0,  a=a0*2,  b=bO ,  a<=0  ->  a0*2+b0=b 
which  simplifies  to 
a=0  ->  a+b=b, 
and  thus  also  holds. 

Example  3  -  We  noted  above  that  the  purpose  of  loop  initial¬ 
ization  is  often  to  set  the  data  state  to  some  specific  "starting 
point"  for  the  execution  of  the  loop.  Once  the  loop  begins  exe¬ 
cution,  the  data  state  leaves  this  starting  point  and  takes  on 
more  general  values.  With  this  in  mind,  we  note  that  the  program 
P  is  equivalent  to  the  program 

X  :=  H  ( K ( X)  )  ; 

while  B (X)  do 
X  :=  H (X) 
od ; 

X  :=  Q ( X) 

on  executions  of  P  which  require  at  least  one  loop  iteration. 
Since  the  initialization  in  this  new  program  includes  an  execu¬ 
tion  of  the  loop  body,  the  hope  is  that  the  output  of  the  new 
initialization  will  be  general  enough  to  satisfy  CLOSURE.  This 
observation  is  the  motivation  behind  heuristic  SHORTCUT  in 
Theorem  2  and  can  be  applied  as  follows:  convert  (if  necessary) 
the  verification  problem  to  one  over  a  domain  where  the  loop  will 
execute  at  least  once  and  try  the  initialization  H  o  K  for  the 
reduction  hypothesis  K'  (where  "o"  stands  for  function  composi¬ 
tion)  .  As  an  illustration,  consider  the  program 

pa  :=  0; 

while  s  ?  NULL  do 

pa  :=  pa  +  head ( s)  ; 
s  :=  tail(s) 
od ; 

if  pa  <=  0  then  pa  :=  0  else  pa  :=  1  f i 

rpa=PAVG(sOyr“ 

which  determines  whether  the  arithmetic  average  of  the  integers 
appearing  in  the  sequence  s  is  positive  or  negative.  The  func¬ 
tion  head(s)  for  a  nonempty  sequence  s  returns  the  lead  element 
in  s,  tail(s)  returns  s  with  head(s)  removed,  and  NULL  denotes 
the  sequence  containing  0  elements.  The  function  PAVG(sO) 
appearing  in  the  postcondition  has  the  value  1  if  the  average  of 
the  elements  of  sO  is  positive  and  0  otherwise.  CLOSURE  is  not 
satisfied  for  this  ptogram  since  pa  takes  on  values  other  than  0 
as  the  loop  iterates.  Suppose  we  can  convince  ourselves  that  the 
program  executes  correctly  when  the  input  s  is  the  empty  sequence 
and  the  loop  is  bypassed.  The  remainder  of  the  proof  then  con¬ 
sists  of  verifying  the  program  assuming  the  precondition 
{ s^NULL} .  Accordingly,  we  will  now  use  the  program  specification 
function 


f ( <paO , sO> ) =pa  <->  sO^NULL  &  pa=PAVG(sO). 

The  heuristic  suggested  above  is  to  try  the  initialization 
K2  ( <paO , s0> , <pa, s>)  <->  sO^NULL  &  pa=head(sO)  &  s=tail(sO) 

as  a  reduction  hypothesis.  This  function  satisfies  SHORTCUT  and 
is  thus  an  alternative  initialization.  Its  domain  includes  D(f) 
(i.e.  {<pa,s>  |  s^NULL})  and  since  it  satisfies  CLOSURE,  it  is  a 
reduction  hypothesis.  To  apply  this  result  in  a  demonstration  of 
the  correctness  of  the  program,  we  must  show  ITERATION"  and  BOUN¬ 
DARY'  hold  (using  K2  for  K") .  Condition  ITERATION"  is 
sO^NULL,  sl^NULL,  pa=head(sO),  s=tail(sO),  s^NULL, 

pa+head ( s) =head ( si) ,  tail(s) =tail(sl)  ->  PAVG ( sO) =PAVG ( si) 
which  simplifies  to 

s^NULL  ->  PAVG ( <pa> | | s) =PAVG ( <pa+head ( s) > | | tail(s) ) . 
where  <x>  is  the  sequence  containing  the  single  element  x  and  |  | 
denotes  concatenation  of  sequences.  Condition  BOUNDARY"  is 
sO^NULL,  pa=head(sO),  s=tail(sO),  s=NULL 

->  PAVG ( sO) =POSITIVE (pa) 

where  POSITIVE  (pa)  is  a  function  which  has  the  value  1  if  pa  is 
positive  and  0  otherwise.  This  condition  simplifies  to 
sO=<pa>  ->  PAVG ( sO) ^POSITIVE (pa)  . 

Example  4  -  We  now  illustrate  an  application  of  the 

specification-oriented  heuristic  VERYSHORTCUT  of  Theorem  3. 
Since  any  output  Y  of  a  function  K4  satisfying  VERYSHORTCUT  must 
satisfy  ~B  (Y)  ,  this  approach  is  most  appropriately  used  when  CLO¬ 
SURE  holds  for  all  loop  iterations  except  the  last,  i.e.  the  only 
lack  of  values  in  the  range  of  K  is  where  B  is  FALSE.  The  idea 
is  to  add  to  the  initialization  the  production  of  these  values  in 
such  a  way  that  assures  the  correct  execution  of  the  program. 
The  following  program  serves  to  illustrate  this  kind  of  tech¬ 
nique.  It  searches  a  linked  list  for  an  element  containing  a  key 
field  with  the  value  17: 

found  :=  FALSE; 

while  p  f  NIL  &  "found  do 
if  p~.key=17  then 
found  :=  TRUE 
else  p  :=  p^.link  fi^ 
od 

{ found=INCHAIN (pO , 17) } 

The  program  notations  p'.key  and  p^.link  are  the  key  and  link 
fields,  respectively,  of  the  node  pointed  to  by  p.  A  link  field 
of  NIL  is  used  to  mark  the  end  of  the  list.  The  function 
INCHAIN  (pO  ,17)  appearing  in  the  postcondition  is  a  predicate 
which  holds  iff  the  chain  pointed  to  by  pO  contains  an  element 
with  a  key  field  of  17.  Note  that  since  there  is  no  program  text 
following  the  loop,  Q  is  the  identity  function.  CLOSURE  is  not 
satisfied  for  this  program  since  the  variable  found  may  take  on 
the  value  TRUE  on  the  last  loop  iteration.  The  initialization  is 
extended  by  alternatively  assigning  the  value  TRUE  to  found,  but 
only  in  the  case  where  INCHAIN  (p,  17)  holds.  Specifically,  we 
propose  to  supplement  the  given  initialization  with  the  function 
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K4 ( <foundO ,pO> ) =<found , p>  <->  INCHAIN (pO , 17)  &  p=pO  &  found 
to  yield  the  new  initialization 
if  TRUE  ->  found  :=  FALSE 
— T  INCHAIN (p, 17)  ->  found  :=  TRUE 
f  i . 

Note  that  K4  satisfies  VERYSHORTCUT,  i.e.  on  executions  of  the 
program  which  follow  the  second  path,  the  loop  body  is  bypassed 
and  the  program  necessarily  behaves  in  accordance  with  its 
specification.  The  combined  initialization  is  represented  by  the 
input/output  relation 

K" ( <foundO ,p0> , <found , p> )  <-> 

("found  OR  found=INCHAIN (pO , 17) )  &  p=pO . 

Since  arbitrary  values  of  found  and  p  may  emerge  from  this  ini¬ 
tialization,  CLOSURE  is  satisfied.  By  Theorem  3  (using  the  ori¬ 
ginal  initialization  K  for  G)  ,  K"  is  a  reduction  hypothesis.  We 
now  use  K"  to  state  the  necessary  and  sufficient  conditions 
(assuming  termination)  for  the  correctness  of  the  program. 
Corresponding  to  the  two  paths  through  the  loop  body  of  this  pro¬ 
gram,  there  are  two  ITERATION"*  conditions 

("found  OR  found=INCHAIN (pO , 17 ) ) ,  p=pO ,  p^NIL,  "found, 
P~.key=17,  ("TRUE  OR  TRUE=INCHAIN (pi ,17) ) ,  p=pl 

->  INCHAIN (pO, 17) =INCHAIN (pi, 17) 

and 

("found  OR  found=INCHAIN (pO ,17) ) ,  p=pO ,  p^NIL,  found, 

p~  .  key^l7  ,  ("FALSE  OR  FALSE=INCHAIN  (pi ,  17)  )  ,  p"'.link=pl 

->  INCHAIN (pO, 17) =INCHAIN (pi, 17) , 

which  simplify  to 

"found,  p^NIL,  p*'.key=17,  INCHAIN  (p,  17) 

->  INCHAIN  (p,  17)  =  INCHAIN  (p,  17) 

and 

"found,  p^NIL,  p^.key^l? 

->  INCHAIN  (p,  17)=INCHAIN(p*v  .link,  17)  , 
respectively.  Condition  BOUNDARY"  is 

("found  OR  found=INCHAIN (pO , 17) ) ,  p=pO,  (p=NIL  OR  found) 

->  found=INCHAIN(pO ,17) , 

which  simplifies  to 

(found  &  INCHAIN (p,  17)  )  OR  ("found  &  p=NIL) 

->  found=INCHAIN (p, 17) . 

Example  5  -  This  example  illustrates  a  circumstance  where 
several  of  the  above  heuristics  are  applied  in  order  to  create  a 
reduction  hypothesis.  The  following  program  sums  the  elements  of 
a  sequence: 

{s/null} 
sum  :=  3; 
while  s^NULL  do 

sum  :=  sum  +  head(s)  ; 
s  :=  tail(s) 
od ; 

{ sum=SUM ( sO) } . 

The  notation  SUM(sO)  appearing  in  the  postcondition  stands  for 
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the  summation  of  the  elements  of  sO .  We  begin  our  reasoning  as 
follows.  CLOSURE  is  not  satisfied  for  this  program  because  sum 
is  constrained  to  the  value  0  by  an  assignment  statement.  What 
would  be  the  effect  on  the  program  of  removing  this  assignment? 
After  the  first  loop  iteration,  sum  would  have  the  value 
sumO+head  ( sO )  ,  rather  than  head(sO).  We  could  compensate  for 
this  discrepancy  by  subtracting  sumO  from  head(sO)  before  the 
loop  begins  execution.  Thus  we  choose  to  replace  "sum:=0"  with 
"head  ( s)  :  =head  (  s) -sum.  "  This  is  an  application  of  heuristic  NOCUT 
of  Theorem  2.  Indeed,  the  function  corresponding  to  this  new 
initialization, 

K3 ( <sumO , s0> ) =<sum, s>)  <->  sO^NULL  &  s^NULL  &  sum=sumO  & 

head ( s) =head ( sO) -sumO  &  tail(s) =tail(sO) , 
satisfies  NOCUT  and  is  thus  an  alternative  initialization.  We 
note  that  CLOSURE  is  satisfied  for  this  initialization  on  all  but 
the  final  loop  iteration  (i.e.  K3  cannot  produce  an  output  which 
satisfies  s=NULL)  .  As  in  Example  4,  the  solution  under  these 
circumstances  is  to  supplement  the  initialization  with  a  function 
satisfying  VERYSHORTCUT;  in  this  example  such  a  function  would  be 
K4 ( <sumO , s0> ) =<sum, s>)  <->  sum=SUM(sO)  &  s=NULL. 

Note  that  the  output  of  K4  causes  B  to  evaluate  to  FALSE  and 
forces  the  program  to  be  correct  wrt  its  specification.  The  com¬ 
plete  initialization  is  then 

if  s^NULL  ->  head(s)  :=  head(s)  -  sum 
— f  TRUE  ->  sum  :=  SUM(s)  ;  s  :=  NULL 
f  i . 

Let  k7~ represent  this  initialization  (i.e.  let  K"  be  the  union  of 
K3  and  K4) .  By  Theorem  3  (using  K3  for  G) ,  K"  is  a  reduction 
hypothesis.  Corresponding  to  whether  K3  or  K4  is  used  in  the 
term  K"(X1,H(X)),  condition  ITERATION"*  has  the  following  two 
aspects : 

sO^NULL,  sum=sumO,  head ( s) =head ( sO ) -sumO ,  ta il ( s) =ta il ( sO ) , 
s^NULL,  sl^NULL,  ta i 1 ( s) ^NULL ,  sum+head ( s) =suml , 
head ( ta il ( s) ) =head (si) -suml ,  tail(tail(s))=tail(sl) 

->  SUM ( sO ) =SUM ( si ) 

and 

sO^NULL,  sum=sumO,  head ( s) =head ( sO) -sumO ,  ta il ( s) =ta il ( sO ) , 
s^NULL,  sum+head ( s) =SUM ( si) ,  tail(s)=NULL 
->  SUM ( sO ) =SUM ( si ) 
which  simplify  to 

S^NULL,  tail(s)  5*NULL  -> 

sum+head  ( s)  =SUM  ( ta  i  1  ( s)  )  = 

sum+head ( s) +head ( tail ( s) ) +SUM ( ta il ( ta il ( s)  )  ) 

and 

tail(s)=NULL  ->  sum+head  ( s) +SUM  ( ta  il  (  s)  )  =sum+head  (  s)  . 

Condition  BOUNDARY"  is 

sum=SUM(sO),  S=NULL  ->  SUM(sO)=sum. 

2-  Relation  to  Standard  Correctness  Techniques 

In  this  section,  we  discuss  the  relationship  between  the 
proposed  verification  strategy  and  the  subgoal  induction  [Morris 
&  Wegbreit  77]  (see  also  [Manna  &  Pnueli  70,  Manna  71]),  and 


I 


inductive  assertion  [Hoare  69]  correctness  techniques.  We  will 
define  these  methods  in  the  framework  of  the  verification  problem 
described  above,  i.e.  in  each  case  we  wish  to  prove/disprove  the 
program  P  correct  wrt  its  specification  function  f. 

All  three  techniques  call  for  creating  and  verifying  an 
hypothesis  concerning  some  aspect  of  the  behavior  of  P  and  then 
applying  the  hypothesis  to  prove/disprove  the  correctness  of  the 
program.  In  the  proposed  technique,  this  hypothesis  is  a  reduc¬ 
tion  hypothesis;  in  subgcal  induction,  we  will  refer  to  the 
hypothesis  as  a  tail  function ;  in  the  inductive  assertion  tech¬ 
nique,  the  hypothesis  is  an  adequate  inductive  assertion . 

A  tail  function  g  in  a  subgoal  induction  proof  is  a  general 
description  of  the  input/output  behavior  of  program  TAIL. 
Specifically,  g  has  the  same  functionality  as  the  specification  f 


and  must 

satis  fy 

each  of 

SI  1: 

X 

6  D(g)  , 

B  (X) 

->  H  (X)  G  D(g) 

SI  2 : 

X 

6  D(g)  , 

B  (X) 

->  g(X)  =g  (H  (X)  ) 

SI  3: 

X 

6  D(g)  , 

~B  (X) 

->  g(X)=e(Q(X)  ) 

SI  4 : 

X 

6  D(g) 

->  TAIL 

terminates  with  input  X 

SI  5; 

X 

6  D(f) 

->  K(X) 

6  D(g)  . 

The  first  four  of  these  conditions  establish  that  TAIL  is  correct 
wrt  g,  SI5  assures  that  D(g)  is  sufficient  for  testing  the 
correctness  of  the  program  P.  When  such  a  function  g  has  been 
found,  the  program  P  is  correct  wrt  f  iff 
SI  6;  X  6  D(f)  ->  g(K(X)  )=f  (X)  . 

In  the  inductive  assertion  technique,  an  adequate  inductive 
assertion  is  a  sufficiently  strong  invariant  relation  between 
initial  data  states  and  data  states  occurring  at  the  loop  predi¬ 
cate  B.  Specifically,  an  adequate  inductive  assertion  is  a 
binary  relation  A  over  the  data  state  of  P  which  satisfies 
IAl:  X  6  D(f)  ->  A (X, K ( X) ) 

IA2:  X  G  D(f),  A(X,Y),  B  (Y)  ->  A(X,H(Y)) 

IA3;  X  G  D  ( f )  ,  A(X,Y)  ->  TAIL  terminates  with  input  Y 
IA4:  X  G  D(f),  A(X,Y),  ~B(Y),  A(X,Z),  ~B(Z) 

->  e(Q(Y) ) =e(Q(Z) ) . 

If  we  view  X  and  Y  as  representing  the  initial  and  current  data 
states,  IAl  and  IA2  prove  that  A(X,Y)  is  a  "loop  invariant,"  IA3 
is  the  necessary  termination  condition  based  on  A,  and  IA4  tests 
whether  A  is  sufficiently  strong  to  verify  the  correctness  of  the 
program.  When  such  a  relation  A  has  been  found,  the  program  P  is 
correct  wrt  f  iff 

IA5;  X  G  D(f),  A(X,Y),  ~B(Y)  ->  f  ( X)  =e  (Q  ( Y)  )  . 

The  results  of  this  section  are  contained  in  the  following 
two  theorems.  They  define  a  relationship  between  the  three  forms 
of  program  hypotheses  and  give  a  technique  for  transforming  tail 
functions  and  adequate  inductive  assertions  into  reduction 
hypotheses. 
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Theorem  4  -  Let  g  be  a  tail  function  for  a  subgoal  induction 
proof  of  P,  and  let  K'  be  a  relation  defined  by 
K'’  ( XO  ,  X)  <->  g(K(X0)  )=g(X)  . 

Then  K"  is  a  reduction  hypothesis. 

Proof  -  We  must  prove  that  K"  satisfies  CLOSURE  and  that 
TERMINATES  and  PRESERVES  hold  where  P“*  is  P  with  initialization 
K'  substituted  for  K.  To  see  that  K"  satisfies  CLOSURE,  let 
XO  G  D (  f )  &  K"  ( XO  ,  X)  &  B  (X) 
i.  e. 

XO  G  D  (  f )  &  g(K(X0)  )=g(X)  &  B(X). 

By  SI1  and  SI2,  g  ( X)  =g  (H  (X)  )  ;  hence  g  ( K  ( XO ))  =g  (H  (X)  )  and 
XO  G  D(f)  &  K'  ( XO  ,H  (X)  )  , 

thus  CLOSURE  holds  for  K' .  TERMINATES  must  be  satisfied  since  the 
range  of  K "  contains  only  elements  of  D(g)  and  SI4  is  satisfied. 
Finally,  to  show  that  PRESERVES  holds,  we  will  prove  that  P  and 
P'  compute  the  same  function  (in  the  variables  of  interest)  over 
the  domain  D(f)  .  Let  XO  G  D(f)  .  On  input  XO ,  P  produces  a 
result  Y  satisfying 

K  ( XO )  =X  &  Y=e(  [TAIL]  (X)  ) 

for  some  state  X.  On  input  XO ,  P"  produces  a  result  Y"  satisfy¬ 
ing 

K'(X0,X')  &  Y"=e(  [TAIL]  (X")  ) 

for  some  state  X' .  These  may  be  rewritten 
K ( XO ) =X  &  Y=g (X) 

and 

g(K(X0) )=g(X')  &  Y'=g(X') 

using  the  definition  of  K'  and  the  fact  that  SI1-SI4  imply  TAIL 
computes  g.  These  imply 
Y=g(K(X0) )=Y', 

hence  P  and  P'  compute  the  same  function  over  D(f). 

Thus  a  tail  function  g  together  with  program  initialization 
K  can  be  used  to  construct  a  reduction  hypothesis.  The  (perhaps) 
surprising  result  in  the  following  theorem  is  that  an  adequate 
inductive  assertion  (by  itself)  is  a  reduction  hypothesis,  i.e. 
the  class  of  reduction  hypotheses  for  P  contains  the  class  of 
adequate  inductive  assertions  for  P. 

Theorem  5  -  If  A  is  an  adequate  inductive  assertion  for  P, 
then  A  is  a  reduction  hypothesis  for  P. 

Proof  -  We  must  show  A  satisfies  CLOSURE  and  that  TERMINATES 
and  PRESERVES  hold  where  P"  is  P  with  initialization  A  substi¬ 
tuted  for  K.  To  see  that  A  satisfies  CLOSURE,  let 
XO  G  D(f)  &  A  (XO  ,  X)  &  B(X)  . 

By  IA2,  A  (XO  ,H  (X)  )  ,  thus  CLOSURE  holds  for  A.  TERMINATES  follows 
directly  from  IA3.  Finally,  to  show  that  PRESERVES  holds,  we 
will  show  that  P  and  P"*  compute  the  same  function  (in  the  vari¬ 
ables  of  interest)  over  the  domain  D(f).  Let  XO  G  D(f).  On 
input  XO ,  P  will  produce  Y  satisfying 
K ( XO ) =X  &  Y=e( [TAIL]  (X)  ) 

for  some  state  X.  By  IA1,  A(X0,X).  By  IA3  the  WHILE  loop 


terminates  on  input  X  giving  some  result  T  where  ~B(T).  Repeated 
application  of  IA2  and  the  loop  property 
B(Z)  ->  [TAIL]  (Z)=  [TAIL]  (H  (Z)  ) 

gives  A(X0,T)  and  [TAIL]  (X)  =  [TAIL]  (T)  =Q  (T)  .  Thus  on  input  XO  ,  P 
produces  Y  satisfying 

(1)  A (XO ,T)  &  ~B  (T)  &  Y=e(Q(T)  ) 

for  some  T.  P"  on  the  other  hand,  with  input  XO  will  produces  Y" 
satisfying 

A(X0,X')  &  Y'=e{  [TAIL]  (X")  ) 

for  some  state  X".  Again  by  IA3,  the  WHILE  loop  terminates  on 
input  X'  giving  some  result  T'  where  ~B(T'’).  Repeated  applica¬ 
tion  of  IA2  and  the  above  loop  property  gives  A(X0,T'*)  and 
[TAIL]  (X")  =  [TAIL]  (T" ) =Q (T" )  .  Thus  P'  produces  Y'  satisfying 

(2)  A (XO ,T" )  &  ~B  (T" )  &  Y'=e(Q(T")) 

for  some  T' .  In  light  of  IA4,  (1)  and  (2)  imply  Y=Y' ,  thus  P  and 
P"  compute  the  same  function  over  D(f). 

Example  6  -  To  illustrate  these  ideas,  we  consider  again  the 
program  discussed  in  Example  2: 

{a>=0} 
a  :=  a*2; 
while  a> 0  do 
a  :=  a-1; 
b  :=  b+1 
od ; 
a  :=  b 

{ a=a0*2  +  bO } . 

The  following  are  possible  tail  functions  for  a  subgoal  induction 
proof  of  the  program 

gl  ( <a0 , b0> ) =a  <->  a0>  =  0  &  a=aO+bO 
g2 (<aO,bO>)=a  <->  a=MAX ( aO , 0 ) +b0 . 

Several  adequate  inductive  assertions  are 
A1 ( <a0 , b0> , <a , b> )  <->  b=b0+2*a0-a  &  a>=0 
A2 ( <a0 , b0> , <a , b> )  <->  b=b0+2*a0-a  &  a>=0  &  a0>=0 

A3 ( <a0 , b0> , <a , b> )  <->  b=b0+2*a0-a  &  a0>=a>=0 

A4(<a0,b0> ,<a,b>)  <->  b=bO+2*MAX ( aO , 0 ) -MAX ( a, 0 ) . 

By  Theorem  4, 

Kl ( <a0 , b0> , <a , b> )  <->  gl (K ( <a0 , b0> ) ) =gl ( <a , b> ) 
and 

K2 (<aO,bO> ,<a,b>)  <->  g2 (K( <a0 , b0> ) ) =g2 ( <a , b> ) , 

i.  e. 

Kl ( <a0 , b0> , <a , b> )  <->  2*a0>=0  &  a>=0  &  2*a0+b0=a+b 
and 

K2 (<aO,bO> ,<a,b>)  <->  MAX ( 2*a0 , 0 ) +bO=MAX  ( a, 0 ) +b 

are  reduction  hypotheses.  Theorem  5  states  that  each  of  A1-A4  is 
also  a  reduction  hypothesis.  Thus  any  of  these  can  be  used  in 
place  of  K'  in  the  proof  in  Example  2.  We  remark  that  the  rela¬ 
tion  K'  used  in  that  example  is  not  an  inductive  assertion,  hence 
the  class  of  adequate  inductive  assertions  is  a  proper  subset  of 
the  class  of  reduction  hypotheses. 
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Proof  Transformations 

Applying  the  verification  technique  proposed  above  based  on 
ITERATION'  and  BOUNDARY'  requires  ascertaining  the  input/output 
behavior  of  the  loop  initialization,  loop  body  and  program  text 
following  the  loop.  In  many  cases,  this  ascertaining  process  may 
be  difficult  (e.g.  if  these  program  segments  contain  additional 
WHILE  loops).  In  view  of  this  problem,  we  now  consider  the 
situation  which  occurs  when  the  input/output  behavior  of  the  pro¬ 
gram  text  following  the  WHILE  loop  is  not  explicitly  known.  The 
verification  problem  under  consideration,  then,  will  be  of  the 
form 

{XO  6  D(f)  &  X=X0} 

X  :=  K  ( X)  ? 
while  B(X)  do 
X  :=  H (X) 
od; 

T 

{e(X)=f (XO) } 

where  K,  B  and  H  are  as  before  and  T  represents  some  unspecified 
block  of  program  text.  Again  our  intention  is  to  prove/disprove 
the  program  correct  wrt  its  specification  function  f. 

Suppose  we  have  a  reduction  hypothesis  K'  for  P  and  can  show 
condition  ITERATION'  holds.  What  sense  does  BOUNDARY'  make  and 
how  can  we  proceed?  In  this  situation,  condition  BOUNDARY' 
corresponds  to  a  new  but  simpler  correctness  problem.  Specifi¬ 
cally,  we  must  prove 

{XO  G  D(f)  &  K'(X0,X)  &  ~B  (X)  } 

T 

{e(X)=f  (XO)}  . 

This  problem  is  simpler  than  the  original  due  to  the  fact  that 
the  loop  has  been  eliminated  from  the  program.  Thus  we  have  used 
a  reduction  hypothesis  and  condition  ITERATION'  to  transform  the 
correctness  question  for  the  original  program  P  to  a  correctness 
question  for  a  substantially  simpler  program.  If  the  program  T 
contains  further  looping  structures,  the  process  may  be  repeated. 

Example  7  -  The  following  program  operates  on  sequences  a, 
x,  y  and  z  of  natural  numbers.  The  function  head(s)  of  a 
nonempty  sequence  s  is  the  leftmost  element  of  s,  and  tail(s)  is 
s  with  head(s)  removed.  The  infix  operator  |  |  denotes  concatena¬ 
tion  of  sequences  and  NULL  denotes  the  sequence  with  0  elements. 
The  predicate  odd  ( a)  is  true  iff  a  is  odd. 
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y  chead  ( a)  > 
z  <head  ( a)  >  f  i  ; 


tail(y) 


ta il ( z) 


The  function  F  appearing  in  the  postcondition  is  defined  as 
F  (x,  y,  z,  a)  =  x  ||  y  ||  ODDS  (a)  ||  z  ||  EVENS  (a) 

where  ODDS  (a)  is  the  sequence  containing  the  odd  elements  of  a  in 
the  order  they  appear  in  a  (EVENS(a)  is  similar).  In  this  exam¬ 
ple,  T  corresponds  to  the  last  two  WHILE  loops  and  since  there  is 
no  initialization,  K  is  the  identity  function.  Since  CLOSURE 
holds  for  this  function,  K  itself  is  a  reduction  hypothesis. 
Corresponding  to  the  two  paths  through  the  first  loop  body,  there 
are  the  two  ITERATION''  conditions,  namely 
a^NULL,  odd(head(a)) 

->  F  (x,  y,  z,  a)  =F  (x,  y  |  |  <head(a)  >,  a,  tail  (a)  ) 
a^NULL,  ~odd ( head (a) ) 

->  F  (x,  y,  z,  a)  =F  (x,  y,  z  |  |  chead  (a)  >  ,  ta  il  (a)  )  . 
Once  these  have  been  proven,  the  verification  problem  then 
transforms  to 

{a=NULL} 

while  y  f  NULL  do 

x  :=  x  ||  chead  (y)  > ;  y  : 
od ; 

while  z  /  NULL  do 

x  :=  x  ||  chead  ( z)  > ;  z  : 
od 

{x=F  (xO  ,y0  ,  zO  , aO)  }  . 

Here  T  corresponds  to  the  last  loop  and  again  K  is  the  identity 
function,  CLOSURE  holds  and  hence  K  itself  is  a  reduction 
hypothesis.  The  proof  of  this  program  thus  consists  of  showing 
ITERATION" ,  i.e. 

a=NULL,  y/NULL  ->  F  (x,  y ,  z ,  a)  =F  (x  |  |  chead  ( y)  >  ,  ta  il  ( y)  ,  z ,  a) 
and  then  verifying 

{ a=NULL  &  y=NULL} 
while  z  NULL  do 

x  :=  x  ||  chead(z)>;  z  :=  tail(z) 
od 

{ x=F  ( xO  ,  yO  ,  zO  ,  aO ) }  . 

Again  using  the  identity  function  as  a  reduction  hypothesis,  this 
remaining  verification  problem  can  be  proved  by  showing 


=  tail(y) 
=  tail(z) 


while  a  /  NULL  do 

if  odd ( head ( a) )  then  y  : = 
else  z  := 

a  :=  tail(a) 
od ; 

while  y  ^  NULL  do 

x  :=  x  ||  chead  (y)>;  y  :  = 
od ; 

while  z  ji  NULL  do 

x  :=  x  ||  chead(z)>;  z  := 
od 

{x=F  (xO  ,y0  ,  zO  ,  aO)  } 


ITERATION"  and  BOUNDARY",  i.e. 
a=NULL ,  y=NULL ,  z^NULL  -> 

F  (x,  y,  z,  a)  =F  (x|  |  <head  (  z)  >  ,y,  tail(  z)  ,  a) 

and 

a=NULL,  y=NULL,  z=NULL  ->  x=F (x, y, z, a) . 

We  remark  that  none  of  the  program-oriented  reduction 
hypothesis  techniques  defined  in  Theorem  2  assume  any  knowledge 
of  the  characteristics  of  T.  Thus  these  techniques  can  be  used 
for  creating  a  reduction  hypothesis  in  the  circumstance  where  the 
input/output  behavior  of  this  subprogram  is  not  known.  The 
specification-oriented  heuristic  of  Theorem  3,  however,  cannot  be 
employed  without  this  knowledge. 

5.  Concluding  Remar ks 

From  a  practical  point  of  view,  it  is  difficult  to  carefully 
assess  the  relative  merits  of  the  proposed  program  verification 
methodology.  Preferences  by  people  involved  in  verifying  pro¬ 
grams  are  often  based  on  which  methodology  appears  to  be  more 
"natural”  or  "intuitive"  in  a  given  application.  Furthermore, 
answers  to  questions  such  as  these  no  doubt  are  largely  influ¬ 
enced  by  the  way  a  person  was  trained  in  the  field  of  software 
eng  ineer  ing . 

Despite  this  caveat,  we  offer  our  view  that  in  a  number  of 
cases,  it  seems  "easier"  to  create  a  reduction  hypothesis  than  it 
does  to  create  an  adequate  inductive  assertion  or  tail  function 
for  a  proof  by  the  standard  techniques  discussed  in  Section  3. 
Indeed,  it  is  difficult  to  argue  the  reverse  case  in  light  of  the 
results  of  that  section,  which  state  that  any  adequate  inductive 
assertion  is  a  reduction  hypothesis,  and  that  any  tail  function 
can  be  simply  transformed  to  one.  On  the  other  hand,  our  feeling 
is  that  the  verification  conditions  which  result  from  the  use  of 
a  reduction  hypothesis  seem  somewhat  more  complicated  than  their 
counterparts  in  either  of  these  standard  techniques.  This  is 
largely  due  to  the  necessity  of  having  three  distinct  data  states 
appearing  in  condition  ITERATION"  and  two  distinct  data  states 
appearing  in  condition  BOUNDARY".  Both  of  these  verification 
conditions,  however,  are  usually  easily  simplified  in  practice. 

In  light  of  these  comments,  an  interesting  direction  for 
future  research  is  the  translation  of  heuristics  such  as  those 
defined  in  Theorems  2  and  3  into  the  framework  of  standard 
correctness  techniques.  For  example,  what,  if  any,  is  the  impact 
of  these  correctness/incorrectness  preserving  transformations  on 
the  synthesis  of  an  inductive  assertion  or  tail  function  for  the 
program  under  consideration?  Preliminary  results  along  this  line 
appear  in  [Dunlop  &  Basili  81].  In  that  report,  heuristic 
SHORTCUT  is  applied  to  the  problem  of  synthesizing  tail  functions 
for  initialized  loop  programs  and  meets  with  a  fair  degree  of 
success. 
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The  solution  of  any  complex  problem  is  often  best  decomposed 
into  solutions  of  appropriate  simpler  problems.  This  is  an 
important  principle  on  which  our  verification  strategy  is  based. 
A  search  for  a  reduction  hypothesis  is  really  a  search  for  a 
suitable  simpler  problem  to  substitute  for  the  original.  As  dis¬ 
cussed  in  Section  4,  proving  condition  ITERATION'  for  this 
simpler  problem  decomposes  the  solution  of  the  new  problem  into 
the  solution  of  a  still  simpler  problem  and  so  on. 
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